
Using http user agent to secure folders?

Letting just my user agent string into the folder

         

MrWumpus

6:21 pm on Feb 16, 2009 (gmt 0)




I know a lot of people use http_user_agent to block bad bots and spiders, but what about using it to let only one particular user agent string (me) in? I could set the string in my Firefox browser and then that should make me the only one who can access my WordPress wp-admin folder, right?

There are other strategies, such as renaming the wp-admin folder, or filtering by IP address, but they are more of a hassle. This one occurred to me as being a simple strategy.

If you think this is a good idea, could you recommend what I should put in my .htaccess to do it?

The only side effect I can think of: would this affect the scripts themselves as they access the wp-admin folder?

wilderness

7:32 pm on Feb 16, 2009 (gmt 0)




Your restriction could be more precisely focused if you used multiple conditions?

Requiring both the browser UA and a specific IP range.

jdMorgan

3:21 pm on Feb 17, 2009 (gmt 0)




The HTTP Referer header is one of the easiest request headers to spoof. Your admin folder should be password-protected, and you should avoid intentionally creating security holes such as described here.

Understand that your "special" browser UA will be logged by any site that you visit. Some of these sites may publish their referrer logs (as a kind of a "brag" page) thus revealing your "secret admin access key" to the world.

Jim
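
As an added example (not part of any post in this thread), here is an Apache 2.4 `.htaccess` sketch for the wp-admin folder that sets the User-Agent gate asked about beside the password protection recommended in the last reply, combined with the IP condition suggested earlier. The UA string, file path, realm name and IP range are placeholders, and the admin-ajax.php exception assumes the site's theme or plugins call that script from public pages.

```apache
# wp-admin/.htaccess (Apache 2.4 syntax; needs AllowOverride AuthConfig FileInfo)

# --- Weak: the User-Agent gate from the question (shown commented out) ---
# The header is chosen by the client and is sent to every site the browser
# visits, so it ends up in other people's access logs. Anyone who learns the
# string passes this check; it identifies a browser setting, not a person.
#
# SetEnvIfNoCase User-Agent "placeholder-secret-ua" admin_ua
# Require env admin_ua

# --- Corrected: a real credential, optionally narrowed by source address ---
AuthType Basic
AuthName "wp-admin"
# Placeholder path: keep the password file outside the document root.
AuthUserFile "/path/outside/docroot/.htpasswd"

<RequireAll>
    # Password check: the secret is only ever sent to this server.
    Require valid-user
    # Optional second condition (placeholder documentation range).
    # Remove this line if your address changes often.
    Require ip 203.0.113.0/24
</RequireAll>

# Assumption: front-end scripts on the public site post to admin-ajax.php.
# Without this exception, visitors would hit the password prompt above.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Basic authentication sends the password base64-encoded with every request, so serve wp-admin over HTTPS. The password file can be created with `htpasswd -c`.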